07/18/2019 | News release | Distributed by Public on 07/18/2019 09:53
Securing access to your APT repositories is critical. At Cloudflare, as in most organizations, we used a legacy VPN to lock down who could reach our internal software repositories. However, a network perimeter model lacks a number of features that we consider critical to a team's security: per-request authentication, identity-based policy, and an audit trail of who fetched what.
As a company, we've been moving our internal infrastructure to our own zero-trust platform, Cloudflare Access. Access added SaaS-like convenience to the on-premises tools we manage. We started with web applications and then moved resources we reach over SSH, such as Git and interactive SSH sessions, behind the Access gateway. However, we still needed to handle how machines fetch packages from our internal APT repository.
We recently open sourced a new APT transport which allows customers to protect their private APT repositories using Cloudflare Access. In this post, we'll outline the history of APT tooling and APT transports, and introduce our new APT transport for Cloudflare Access.
A brief history of APT
Advanced Package Tool, or APT, simplifies the installation and removal of software on Debian and related Linux distributions. Originally released in 1998, APT was to Debian what the App Store was to modern smartphones - a decade ahead of its time!
APT sits atop the lower-level dpkg tool, which installs, queries and removes .deb packages - the primary software packaging format in Debian and related Linux distributions such as Ubuntu. With dpkg, packaging and managing the software installed on a system became easier - but dpkg did not address how packages are distributed, whether over the Internet or on local media; at the time of its inception, installing packages from a CD-ROM was commonplace.
APT introduced the concept of repositories - a mechanism for storing and indexing a collection of .deb packages. APT can be pointed at multiple repositories, search them for packages and resolve package dependencies automatically. The way APT connects to those repositories is via a 'transport' - a mechanism for communicating between the APT client and its repository source (more on this later).
APT over the Internet
Prior to version 1.5, APT did not include support for HTTPS - if you installed a package over the Internet, the connection was not encrypted. That reduces privacy: an attacker snooping traffic can see exactly which package versions your system installs. It also exposes you to man-in-the-middle attacks. APT's SecureApt signatures protect the package contents themselves, but an attacker who can tamper with the HTTP responses can still attack the HTTP client code; just 6 months ago, CVE-2019-3462, a remote code execution bug in APT's http method, showed how that plays out.
Enter the APT HTTPS transport - an optional package, apt-transport-https, that adds support for connecting to repositories over HTTPS. Installing it is not enough on its own: you also need to change the entries in your APT sources.list to https:// URLs.
The challenge, of course, is that the most common way to install this transport is via APT over plain HTTP - a classic bootstrapping problem. The alternative is to download the .deb package directly over HTTPS with curl and install it with dpkg -i. Debian's package listing for Stretch gives the apt-transport-https binaries for each architecture - once you have the URL path for yours (e.g. amd64, a.k.a. x86_64), you can download it from the deb.debian.org mirror-redirector over HTTPS, and verify its checksum against the one on the Debian package page before installing it.
To confirm which APT transports are installed on your system, list the method binaries installed under /usr/lib/apt/methods - there is one executable per supported URI scheme (http, file, cdrom, and so on).
With apt-transport-https installed you should now see an https binary in that directory.
The state of APT & HTTPS on Debian
You may be wondering how relevant this APT HTTPS transport is today. Given the prevalence of HTTPS on the web today, I was surprised when I found out exactly how relevant it is.
Up until a couple of weeks ago, Debian Stretch (9.x) was the current stable release; 9.0 was first released in June 2017 - and the latest version (9.9) includes apt 1.4.9 by default - meaning that securing your APT communication for Debian Stretch requires installing the optional apt-transport-https package.
Thankfully, on July 6 of this year, Debian released the latest version - Buster - which currently includes apt 1.8.2 with HTTPS support built-in by default, negating the need for installing the apt-transport-https package - and removing the bootstrapping challenge of installing HTTPS support via HTTPS!
BYO HTTPS APT Repository
A powerful feature of APT is the ability to run your own repository. You can mirror a public repository to improve performance or protect against an outage. And if you're producing your own software packages, you can run your own repository to simplify distribution and installation of your software for your users.
If you have your own APT repository and you're looking to secure it with HTTPS we've offered free Universal SSL since 2014 and last year introduced a way to require it site-wide automatically with one click. You'll get the benefits of DDoS attack protection, a Global CDN with Caching, and Analytics.
But what if you need more than just HTTPS for your APT repository? For companies operating private APT repositories, authenticating clients to the repository is the real challenge. This is where our new, custom APT transport comes in.
Building custom transports
The system design of APT is powerful in that it supports extensibility via transport executables, but how does this mechanism work?
When APT attempts to connect to a repository, it looks in /usr/lib/apt/methods for an executable whose name matches the 'scheme' of the repository URL (e.g. an https:// prefix results in the https executable being called).
APT then talks to that executable over the standard Linux streams: stdin, stdout and stderr. Requests and responses travel over stdin/stdout as plain-text messages in the RFC 822-style header format also used by Debian control files and Packages indices: a status line with a numeric code and description, followed by 'Key: Value' fields and a terminating blank line.
Examples of input messages include '600 URI Acquire', and examples of output messages include '200 URI Start' and '201 URI Done'.
If you're interested in building your own transport, check out the APT method interface spec for more implementation details.
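To make the protocol concrete, here is a skeleton of a method for the cfd:// scheme, written in Python as an added example for this post; it is not Cloudflare's transport (which is written in Go) and does not claim to match its behaviour. It parses the RFC 822-style messages APT writes to stdin, announces its capabilities, rewrites cfd:// to https://, attaches Access credentials and answers '600 URI Acquire' with '200 URI Start' and '201 URI Done' (or '400 URI Failure'). It also models two things described later in this post: the cfd:// source configuration, and the headless case where a service token replaces the browser login. The header names cf-access-token, CF-Access-Client-Id and CF-Access-Client-Secret are the ones Cloudflare Access documents, not something this post states; the service-token file path and layout, the fake repository and the stand-in token provider are this example's own assumptions.

```python
"""Skeleton of an APT method for a cfd:// scheme.  Added example for this post,
NOT Cloudflare's apt-transport-cloudflared: it shows the method interface
(RFC 822-style messages on stdin/stdout), the cfd:// -> https:// rewrite, and
how Access credentials are attached (user token, or service token when headless)."""
import hashlib
import os
import sys
from typing import Callable, Dict, Iterator, List, Tuple

Fields = Dict[str, str]
Message = Tuple[int, str, Fields]                      # (code, description, fields)
Fetcher = Callable[[str, Fields], Tuple[int, bytes]]  # (https URI, headers) -> (status, body)

def parse_message(text: str) -> Message:
    """One message: a '<code> <description>' line followed by 'Key: Value' lines."""
    lines = [line for line in text.split("\n") if line != ""]
    code, _, description = lines[0].partition(" ")
    fields: Fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed field line: {line!r}")
        fields[key.strip()] = value.strip()
    return int(code), description, fields

def format_message(code: int, description: str, fields: Fields) -> str:
    """Serialize a message; the trailing blank line terminates it on the wire."""
    body = "".join(f"{key}: {value}\n" for key, value in fields.items())
    return f"{code} {description}\n{body}\n"

def read_messages(stream) -> Iterator[Message]:
    """Yield messages from a line stream; APT separates them with a blank line."""
    buf: List[str] = []
    for line in stream:
        if line.strip():
            buf.append(line)
        elif buf:
            yield parse_message("".join(buf))
            buf = []
    if buf:
        yield parse_message("".join(buf))

def access_headers(service_token_path: str, token_provider: Callable[[str], str],
                   app_url: str) -> Fields:
    """Headless machine: a service token file (assumed layout: client id on line 1,
    secret on line 2) -> CF-Access-Client-Id/-Secret, no cloudflared involved.
    Otherwise token_provider (e.g. `cloudflared access token --app=<url>` after a
    browser login) supplies a user token, sent as cf-access-token."""
    if os.path.exists(service_token_path):
        with open(service_token_path) as fh:
            client_id, client_secret = [ln.strip() for ln in fh.read().splitlines()[:2]]
        return {"CF-Access-Client-Id": client_id, "CF-Access-Client-Secret": client_secret}
    return {"cf-access-token": token_provider(app_url)}

def handle_acquire(fields: Fields, fetch: Fetcher, headers: Fields) -> Tuple[List[Message], bytes]:
    """Answer '600 URI Acquire' with 200 URI Start + 201 URI Done, or 400 URI Failure."""
    uri, filename = fields["URI"], fields["Filename"]
    if not uri.startswith("cfd://"):
        return [(400, "URI Failure", {"URI": uri, "Message": "unsupported scheme"})], b""
    status, body = fetch("https://" + uri[len("cfd://"):], headers)  # cfd:// -> https://
    if status != 200:
        return [(400, "URI Failure", {"URI": uri, "Message": f"HTTP {status}"})], b""
    size = str(len(body))
    return [(200, "URI Start", {"URI": uri, "Size": size}),
            (201, "URI Done", {"URI": uri, "Filename": filename, "Size": size,
                               "SHA256-Hash": hashlib.sha256(body).hexdigest()})], body

def run_method(stdin, stdout, fetch: Fetcher, headers: Fields) -> None:
    """Main loop: announce capabilities, then serve each request APT sends."""
    stdout.write(format_message(100, "Capabilities", {"Version": "1.0", "Send-Config": "true"}))
    stdout.flush()
    for code, _description, fields in read_messages(stdin):
        if code != 600:  # 601 Configuration and others are ignored by this skeleton
            continue
        messages, body = handle_acquire(fields, fetch, headers)
        if body:
            with open(fields["Filename"], "wb") as fh:  # APT names the destination file
                fh.write(body)
        for c, d, f in messages:
            stdout.write(format_message(c, d, f))
        stdout.flush()

# Constructed stand-in for a repository behind Access: admits a user token or a
# service-token pair, otherwise redirects to the login page as Access does.
FAKE_REPO = {"https://apt.example.com/dists/buster/InRelease": b"Origin: example\nSuite: buster\n"}

def fake_fetch(uri: str, headers: Fields) -> Tuple[int, bytes]:
    authed = "cf-access-token" in headers or (
        "CF-Access-Client-Id" in headers and "CF-Access-Client-Secret" in headers)
    if not authed:
        return 302, b""
    return (200, FAKE_REPO[uri]) if uri in FAKE_REPO else (404, b"")

if __name__ == "__main__":
    creds = access_headers("/etc/apt/cfd-service-token",              # assumed path
                           lambda app: "user-token-from-cloudflared",  # stand-in provider
                           "https://apt.example.com")
    run_method(sys.stdin, sys.stdout, fake_fetch, creds)
```

Run it stand-alone by feeding it a request the way APT would: `printf '600 URI Acquire\nURI: cfd://apt.example.com/dists/buster/InRelease\nFilename: /tmp/InRelease\n\n' | python3 cfd_method.py`; the fake repository answers the fetch and the body lands in /tmp/InRelease. A production method would stream the download (emitting 200 URI Start before the body is complete), honour 601 Configuration, and report Access denials with the interface's 401/402 codes rather than a generic 400.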
APT meets Access
Cloudflare prioritizes dogfooding our own products early and often. The Access product has given our internal DevTools team a chance to work closely with the product team as we build features that help solve use cases across our organization. We've deployed new features internally, gathered feedback, improved them, and then released them to our customers. For example, we've been able to iterate on tools for Access like the Atlassian SSO plugin and the SSH feature, as collaborative efforts between DevTools and the Access team.
Our DevTools team wanted to take the same dogfooding approach to protect our internal APT repository with Access. We knew this would require a custom APT transport that generates the required Access tokens and passes them in the correct headers on HTTPS requests to our internal APT repository server, so we built and tested one ourselves.
After months of internal use, we're excited to announce that we have recently open-sourced our custom APT transport, so our customers can also secure their APT repositories by enabling authentication via Cloudflare Access.
By protecting your APT repository with Cloudflare Access, you can support authenticating users via Single-Sign On (SSO) providers, defining comprehensive access-control policies, and monitoring access and change logs.
Our APT transport leverages another open source tool we provide, cloudflared, which handles the browser-based login to your Cloudflare-protected domain and hands the resulting Access token to the transport.
Securing your APT Repository
To use our APT transport, you'll need an APT repository that's protected by Cloudflare Access. Our instructions (below) for using our transport will use apt.example.com as a hostname.
To use our APT transport with your own web-based APT repository, refer to our Setting Up Access guide.
APT Transport Installation
To install from source, both tools require Go - once you install Go, you can install `cloudflared` and our APT transport with four commands.
Those commands place the cloudflared executable in /usr/local/bin (which should be on your PATH), and the APT transport binary in /usr/lib/apt/methods, where APT looks up methods by URI scheme - so the binary is named cfd, matching the cfd:// scheme it serves.
To confirm cloudflared is on your PATH, ask your shell to resolve it with `which cloudflared`.
That should return /usr/local/bin/cloudflared.
Now that the custom transport is installed, to start using it simply configure an APT source that uses the cfd:// scheme rather than https://.
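For example (an added illustration, not a snippet from the original post), with the apt.example.com hostname used in these instructions and an assumed suite and component of buster and main, the change is a single scheme in the source line; APT routes the second form to /usr/lib/apt/methods/cfd instead of the built-in https method:

```text
# Before: fetched by the built-in https method, no Cloudflare Access authentication
# deb https://apt.example.com/ buster main

# After: fetched by the Access-aware transport (the cfd method binary)
deb cfd://apt.example.com/ buster main
```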
Next time you run `apt-get update` or `apt-get install`, a browser window will open asking you to log in via Cloudflare Access, and your packages will be retrieved using the token returned by `cloudflared`.
Fetching a GPG Key over Access
Private APT repositories usually use SecureApt and have their own GPG public key, which users must install so APT can verify the integrity of the data retrieved from that repository.
Users can also leverage cloudflared to download and install that key through Access, in two commands.
The first, `cloudflared access login` for your repository hostname, opens your web browser so you can authenticate for your domain. The second, `cloudflared access curl`, wraps curl to download the GPG key with that credential, and its output is piped to `apt-key add`.
Cloudflare Access on 'headless' servers
If you're looking to deploy APT repositories protected by Cloudflare Access to non-user-facing machines (a.k.a. 'headless' servers), there is no browser to open for the login step. The good news is since February, Cloudflare Access supports service tokens - and we've built support for them into our APT transport from day one.
If you'd like to use service tokens with our APT transport, it's as simple as placing the token in a file in the correct path; because the machine already has a token, there is also no dependency on `cloudflared` for authentication. You can find details on how to set-up a service token in the APT transport README.
As demonstrated, you can get started using our APT transport today - we'd love to hear your feedback on this!
This work came out of an internal dogfooding effort, and we're currently experimenting with additional packaging formats and tooling. If you're interested in seeing support for another format or tool, please reach out.